I have come across various scenarios where System Administrators have installed IIS on Domain Controllers. They do it to effectively utilize that server hardware, to cut down cost by avoiding the need for another server for IIS, because some application that needs to be installed on the DC requires IIS, etc.
Microsoft does NOT recommend IIS on a Domain Controller running Active Directory. There are two main reasons behind this stand.
1. By installing IIS on a DC, we end up increasing the attack surface of that DC, hence posing a threat to the security database of the domain. This may also affect the server's performance and reliability.
2. IIS would NOT work correctly, as it mainly works with local users and groups, which on a DC become domain users/groups. This causes permission issues if the ACLs set on the various IIS folders and on the Metabase are not updated correctly.
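To make the second point concrete, here is an added PowerShell check (example code written for this post, not from the original author or from Microsoft) that an administrator can run on a server to see whether it is a domain controller with the IIS role installed, and whether the default IIS content folders carry ACL entries that no longer resolve to a name. Unresolved SIDs are what the orphaned local IIS accounts (such as the default ASPNET account mentioned above) look like after promotion. The folder paths are assumptions based on the default IIS layout; adjust them if the site root was moved. It requires an elevated prompt and the ServerManager module (Windows Server 2008 R2 or later).

```powershell
# Added example, not part of the original post: detect IIS on a DC and audit
# the default IIS folders for ACL entries whose identity no longer resolves.

# Assumption: default IIS content locations; change if your sites live elsewhere.
$IisFolders = @("$env:SystemDrive\inetpub", "$env:SystemDrive\inetpub\wwwroot")

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$isDc = $cs.DomainRole -ge 4

# Web-Server is the IIS role name used by Get-WindowsFeature
Import-Module ServerManager -ErrorAction SilentlyContinue
$iisFeature = Get-WindowsFeature -Name Web-Server -ErrorAction SilentlyContinue
$hasIis = ($null -ne $iisFeature) -and $iisFeature.Installed

if ($isDc -and $hasIis) {
    Write-Warning "IIS is installed on domain controller $($cs.Name); this configuration is not recommended."
} else {
    Write-Output "IIS-on-DC check for $($cs.Name): DomainController=$isDc, IISInstalled=$hasIis"
}

# An ACE whose IdentityReference is still a raw SID (S-1-...) could not be
# translated to an account name, which is typical of local IIS accounts and
# groups that ceased to exist when the member server became a DC.
foreach ($folder in $IisFolders) {
    if (-not (Test-Path -Path $folder)) { continue }
    $acl = Get-Acl -Path $folder
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -match '^S-1-\d+(-\d+)+$') {
            Write-Warning ("Unresolved SID {0} has {1} on {2}" -f `
                $ace.IdentityReference.Value, $ace.FileSystemRights, $folder)
        }
    }
}
```

Any unresolved SID reported here is an ACL entry that should be replaced with the corresponding domain account or group before the site is expected to work; the same idea applies to the Metabase and application pool identities, which this script does not inspect.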
Below are a few articles that would give you some idea of the issues faced when IIS is installed on a Domain controller.
DCPROMO does not retain permissions on some IIS folders: http://support.microsoft.com/default.aspx?scid=kb;EN-US;332097
How To Promote a Member Server Running IIS to a Domain Controller Running IIS: http://support.microsoft.com/kb/300432
FIX: ASP.NET does not work with the default ASPNET account on a domain controller: http://support.microsoft.com/default.aspx?scid=kb;EN-US;315158
Cannot install a Systems Management Server 2003 Management Point role on Windows Server 2003 domain controllers: http://support.microsoft.com/default.aspx?scid=kb;EN-US;886213
Avoid installing IIS on a domain controller: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3a0742c4-f45a-4504-a232-83dd085bcfb3.mspx?mfr=true
Apart from the above resources, I strongly recommend viewing the webcast below, as it talks in detail about why IIS is not recommended on a DC. This webcast also covers the issues you may face when you install IIS on a DC and how to deal with them.
TechNet Webcast: Successfully Running IIS on a Domain Controller - Level 200: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032245355&Culture=en-US
To summarize, we don't recommend installing IIS on DCs, but if you have to install it you need to be prepared to deal with the issues related to IIS on a DC.
- Abizer